Meta-theorem (induction lemma) in TLA+

53 views
Skip to first unread message

shinsa82

unread,
Jul 25, 2019, 12:55:33 PM7/25/19
to tlaplus

I want to prove a meta-theorem (or induction lemma, tactic) for a specification and reuse it in other proofs, like Coq.

I wonder if its possible or not.


Consider the following spec:


----

vars == <state variables>


Act1 == ...

Act2 == ...


Next == Act1 \/ Act2

Spec == Init /\ [][Next]_vars

----


Then we expect the following lemma hold for any non-temporal formula "Invariant", and we want to use it to prove, say, its type invariance.

(I know its too simple. Actually I want to consider more complicated cases)

I was able to prove the lemma, but I could not "apply" the lemma to the type invariant theorem.

Is there anything wrong?


----

LEMMA SpecInduction == 

    ASSUME

        NEW Invariant,

        ASSUME Init PROVE Invariant,

        ASSUME Invariant, Act1 PROVE Invariant',

        ASSUME Invariant, Act2 PROVE Invariant',

    PROVE

        Spec => []Invariant

PROOF

    <1>1. Init => Invariant OBVIOUS

    <1>2. Invariant /\ Next => Invariant' OBVIOUS

    <1>3. Invariant /\ UNCHANGED vars => Invariant' OBVIOUS

    <1> QED BY PTL, <1>1, <1>2, <1>3 DEF Spec

----

Stephan Merz

unread,
Jul 29, 2019, 2:52:56 AM7/29/19
to tla...@googlegroups.com
Hello,

for a lemma involving temporal operators to be useful, its hypotheses should be "boxed", i.e. occur in the scope of an always operator. For example, you could state

LEMMA BoxImplies ==
  ASSUME NEW TEMPORAL F, NEW TEMPORAL G,
         []F, [](F => G)
  PROVE  []G

and then use this lemma somewhere in a proof about temporal properties. For details, please see section 8.3 of [1]. In practice, we never state lemmas of (propositional) temporal logic because the PTL decision procedure proves them automatically.

Also note that your proof only goes through only because "NEW Invariant" implicitly means "NEW CONSTANT Invariant", hence the formula Invariant' in steps <1>2 and <1>3 gets rewritten to Invariant, and these steps are therefore tautologies. It is certainly not what you had in mind.

Regards,
Stephan

-- 
You received this message because you are subscribed to the Google Groups "tlaplus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/61020587-764f-43bf-859f-24001b37baa4%40googlegroups.com.

shinsa82

unread,
Jul 30, 2019, 10:06:13 PM7/30/19
to tlaplus
Stephan,

Thank you for your answer. My understanding is that basically I should make PTL prove concrete proposition for each theorem instance (without using metatheorem). I'm reading [1], I also gonna read the section.

By the way, is there any way to declare a formula including variables by "NEW <something> Invariant"?

2019年7月29日月曜日 15時52分56秒 UTC+9 Stephan Merz:
To unsubscribe from this group and stop receiving emails from it, send an email to tla...@googlegroups.com.

Stephan Merz

unread,
Jul 31, 2019, 2:43:01 AM7/31/19
to tla...@googlegroups.com
By the way, is there any way to declare a formula including variables by "NEW <something> Invariant"?

For introducing new identifiers in assumptions you can write

NEW [ CONSTANT | STATE | VARIABLE | ACTION | TEMPORAL ] <id>

and if you don't specify a level, it defaults to CONSTANT. For a state-level formula such as an invariant, you want to write

NEW STATE Inv

Regards,
Stephan

To unsubscribe from this group and stop receiving emails from it, send an email to tlaplus+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tlaplus/d3afd887-ba2f-4b58-b001-b5484a6f5da1%40googlegroups.com.

shinsa82

unread,
Aug 6, 2019, 5:49:55 AM8/6/19
to tlaplus
Got it. Thank you!

2019年7月31日水曜日 15時43分01秒 UTC+9 Stephan Merz:
Reply all
Reply to author
Forward
0 new messages